US7624428B2 - Apparatus and method for platform-independent identity manageability - Google Patents

Apparatus and method for platform-independent identity manageability Download PDF

Info

Publication number
US7624428B2
US7624428B2 US11/171,080 US17108005A US7624428B2 US 7624428 B2 US7624428 B2 US 7624428B2 US 17108005 A US17108005 A US 17108005A US 7624428 B2 US7624428 B2 US 7624428B2
Authority
US
United States
Prior art keywords
platform
mid
user
independent
manager
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related, expires
Application number
US11/171,080
Other versions
US20070006281A1 (en
Inventor
Sameer Abhinkar
Selim Aissi
Jane Dashevsky
Abhay Dharmadhikari
Benjamin J. Matasar
Mrudula Yelamanchi
Scott Blum
Shelagh Ann Callahan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intel Corp
Original Assignee
Intel Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intel Corp filed Critical Intel Corp
Priority to US11/171,080 priority Critical patent/US7624428B2/en
Assigned to INTEL CORPORATION reassignment INTEL CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BLUM, SCOTT, CALLAHAN, SHELAGH ANN, DHARMADHIKARI, ABHAY, MATASAR, BENJAMIN J., ABHINKAR, SAMEER, DASHEVSKY, JANE, YELAMANCHI, MRUDULA, AISSI, SELIM
Publication of US20070006281A1 publication Critical patent/US20070006281A1/en
Application granted granted Critical
Publication of US7624428B2 publication Critical patent/US7624428B2/en
Expired - Fee Related legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • G06F21/335User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6236Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database between heterogeneous systems

Definitions

  • One or more embodiments relate generally to the field of integrated circuit and computer system design. More particularly, one or more of the embodiments relate to a method and apparatus for platform and device independent identity manageability.
  • a person might have: (1) personal identities such as a driver's license, social security number or passport; (2) identities related to devices, such as passwords to get into computers, personal digital assistants (PDA), cellular telephones and answering machines; (3) log-ins to access home networks, enterprise networks, wireless hotspots and cellular networks; and (4) accounts to access the web, e-mail, on-line businesses (e.g., eBay and Amazon), instant messaging, short message service (SMS), and voice message services.
  • PDA personal digital assistants
  • SMS short message service
  • FIG. 1 is a block diagram illustrating a peer-to-peer wireless network configuration for platform-independent identity management, in accordance with one embodiment.
  • FIG. 2 is a block diagram illustrating a wireless network (WLAN) configuration for platform-independent identity management, in accordance with one embodiment.
  • WLAN wireless network
  • FIG. 3 is a block diagram illustrating a wireless configuration of a manageable identification (MID) manager platform for platform-independent identity management, in accordance with one embodiment.
  • MID manageable identification
  • FIG. 4 is a block diagram further illustrating a user/target platform of FIGS. 1 and 2 , in accordance with one embodiment.
  • FIG. 5 is a block diagram further illustrating the communications interface of FIGS. 3 and 4 , in accordance with one embodiment.
  • FIG. 6 is a flowchart illustrating a method for creating and registering a platform-independent MID, in accordance with one embodiment.
  • FIG. 7 is a flowchart illustrating a method for resource verification of a target platform in response to a user request to move a platform-independent MID to the target platform, in accordance with one embodiment.
  • FIG. 8 is a flowchart illustrating a method for moving a platform-independent MID from a user platform to trusted storage of a target platform, in accordance with one embodiment.
  • FIG. 9 is a block diagram illustrating various design representations or formats for simulation, emulation and fabrication of a design using the disclosed techniques.
  • the method includes validation of a manageable identity (MID) held within trusted storage of a user platform according to a user request to move the MID to a target platform. Once the MID is validated, available resources of the target platform are verified according to resource requirements of the MID. Once verified, the MID may be moved from the user platform to trusted storage provided by the target platform.
  • a platform-independent MID may be established that may be moved from a user platform to a non-compatible target platform, such that the platform-independent MID is not constrained to just one single platform.
  • wireless client or “client” is used to refer to wireless devices including, but not limited to, personal computers including laptop computers, equipped with wireless adapter cards, as well as personal digital assistants (PDAs), appliances, and the like devices configured to communicate via a wireless communications medium such as, for example, radio frequency (RF) waves.
  • wireless station or “station” is used to refer to devices including, but not limited to, wireless base stations, wireless access points (AP), computers such as server computers, personal computers, laptops, PDAs, or like devices configured to restrict access to stored information contained therein or to an attached wired network.
  • AP wireless access points
  • a “platform” includes any product that performs operations for subsequent analysis and verification of the platform's operations.
  • Examples of the platform include, but are not limited or restricted to a computer (e.g., desktop, a laptop, a server, a workstation, a personal digital assistant or other held-held, etc.); communication equipment (e.g., wireless handset, facsimile, cellular phone, etc.); a television set-top box; a wireless client, wireless station and the like.
  • a “link” is broadly defined as one or more information-carrying mediums such as electrical wire, optical fiber, cable, trace, or even a wireless channel using infrared, radio frequency (RF), or any other wireless signaling mechanism.
  • RF radio frequency
  • a “software module” includes code that, when executed, performs a certain function. Examples of a software module include an application, an applet, or even a series of code instructions, possibly a subset of code from an applet, acting as a lesser sized software module.
  • a “cryptographic operation” is an operation performed for additional data security.
  • one type of cryptographic operation involves digital signing information to produce a digital signature. This digital signing operation may be in accordance with Digital Signature Algorithm (DSA).
  • DSA Digital Signature Algorithm
  • Another type of cryptographic operation involves hashing, namely a one-way conversion of information to a fixed-length representation. Often, this representation, referred to as a “hash value” or an “identifier”, is substantially less in size than the original information. It is contemplated that, in some cases, a 1:1 conversion of the original information may be performed.
  • FIG. 1 is a block diagram illustrating a peer-to-peer (ad-hoc) configuration for a wireless network 100 , in accordance with one embodiment of the invention.
  • FIG. 2 illustrates an infrastructure mode or basic service set (BSS) wireless local area network (WLAN) configuration 150 , in accordance with one embodiment.
  • BSS basic service set
  • WLAN wireless local area network
  • wireless networks 100 and 150 may be configured according to a “wireless protocol” including, but not limited to the Institute of Electrical and Electronic Engineers (IEEE) 802.11 Standard (e.g., IEEE Std. 802.11-1997, 802.11a, 802.11.e, 802.11n, etc.), Hyper LAN 2 and future potential standards for any point-to-point wireless link or network.
  • IEEE Institute of Electrical and Electronic Engineers
  • network 100 is configured according to an ad hoc mode as independent basic service set (IBSS).
  • IBSS independent basic service set
  • two or more wireless clients 200 ( 200 - 1 , . . . , 200 -N) are equipped with, for example, wireless adapter cards to communicate within wireless network 100 as well as server computer 400 .
  • each client 200 sends all communications to a WLAN access point (station) 160 .
  • station 160 acts as a bridge to resources of a wired network 170 , such as server computer 400 .
  • Wired network 170 may implement a local area network (LAN) using an Ethernet protocol, Home Plug protocol, or the like.
  • LAN local area network
  • server computer is referred to as “manageable identity (MID) manager platform” 400 , which may participate in wireless network 100 , as shown in FIG. 1 , or may be coupled to wired network 170 , as shown in FIG. 2 .
  • wireless client 200 - 1 referred to herein as “user platform” 200 - 1 .
  • wireless client 200 - 2 referred to herein as “target platform” 200 - 2
  • target platform may participate within wireless network 100 or access wired network 170 via station access point 160 .
  • user platform 200 - 1 , target platform 200 - 2 and MID manager platform 400 are configured to provide platform-independent identity manageability, according to one embodiment.
  • target platform 200 - 2 and access point (station) 160 establish a relationship or an association.
  • target platform 200 - 2 may listen for beacon messages to identify stations within range.
  • wireless network 100 and WLAN 150 may be governed by the wired equivalency protocol (WEP) or other like authentication protocol.
  • WEP wired equivalency protocol
  • target platform 200 - 2 and station 160 may perform a mutual authentication by exchanging several management frames as part of the process.
  • the WEP protocol provides two mechanisms for authentication, open system authentication and shared key authentication.
  • open system authentication for example, as used by wireless network 100 , provides access to anyone that requests authentication by providing a null authentication process.
  • shared key authentication uses a standard challenge and response being based upon knowledge of secret keys to provide authentication.
  • target platform moves from an authenticated and unassociated, first state into an authenticated and unassociated, second state.
  • Moving from the second state to an authenticated and associated, final state involves target platform 200 - 2 sending an association request frame and the station 160 responding with an association response frame.
  • access to the wireless networks 100 and 150 is just one example where an identity of both the users and their devices must be provided to gain access.
  • a manageable identity is defined as a set of components (hardware and software dependent) comprising of assertions (e.g., username/passwords, digital certificate, etc.), preferences, resource-dependencies, mechanisms that use the assertions, and the policies that define the access levels for the MID.
  • assertions e.g., username/passwords, digital certificate, etc.
  • preferences e.g., preferences, resource-dependencies, mechanisms that use the assertions, and the policies that define the access levels for the MID.
  • a platform independent MID forms a shell around the device/user identity.
  • a platform-independent MID may be established that may be moved from a user platform to a non-compatible target platform, such that the platform-independent MID is not constrained to just one single platform.
  • FIG. 3 is a block diagram illustrating user/target platform 200 , including MID logic 300 to provide platform-independent MIDs, in accordance with one embodiment.
  • user/target platform 200 may include optional battery 206 , a microprocessor 202 , which uses chipset 210 to access main memory 220 , user interface (UI) 230 and communications interface 260 .
  • memory 200 includes, but is not limited to random access memory (RAM), dynamic RAM (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), double data rate (DDR) SDRAM (DDR-SDRAM), Rambus DRAM (RDRAM) or any device capable of supporting high-speed buffering of data.
  • the term “chipset” is used in a manner well know to those of ordinary skill in the art to describe, collectively, the various devices coupled to CPU 202 to perform desired system functionality.
  • communications interface 260 is, for example, a wireless adapter card, which operates according to a multiple input/multiple output (NMMO) operation.
  • user/target platform 200 includes multiple transmit (TX) and receive (RX) antennas 280 ( 280 - 1 , . . . , 280 -N).
  • TX transmit
  • RX receive
  • user/target platform 200 provides multiple TX and RX antennas.
  • medium access control (MAC) layer functionality and physical layer (PHY) layer functionality are provided by communication interface 260 .
  • MID logic 300 includes MID transfer logic 310 to initiate a move of an MID established by user/target platform 200 using MID establishment logic 340 .
  • MID establishment logic 440 enables the definition of an MID with a resource description defined in a known format (for example, extensible mark-up language (XML)).
  • the resource description requires the presence of trusted storage on a target platform to provide secure storage of the established MID if moved to, for example, target platform 200 - 2 .
  • MID logic 300 may be implemented within chipset 210 or may be provided as firmware or software running in a secure portion of user/target platform 200 or a non-secured partition of the platform.
  • MID access logic 350 provides capabilities for using MID 254 for providing access to wireless networks, Internet resources, device resources or other like digital services requiring protected access.
  • MID logic 300 enables establishment of a platform-independent MID, which may combine the various assertions, preferences, resource dependencies, mechanisms that use assertions and policies to define the access levels (MID) to enable a user to seamlessly access the digital world to gain desired access to various services desired by the user without being constrained by a multitude of usernames, passwords, certificates or other like device or user identification data.
  • FIG. 4 is a block diagram further illustrating MID manager platform 400 to support an for platform-independent identity manageability, in accordance with one embodiment.
  • MID manager platform 400 includes similar components to user/target platform 200 , including microprocessor 402 , chipset 410 , memory 420 , user interface (IU) 430 and communications interface 460 .
  • MID manager platform 400 includes MID management logic 500 to enable transfer of platform-independent MIDs.
  • MID manager platform 400 includes MID management logic 500 to provide an MID framework to manage the way MIDs are accessed, updated and operated, for example, by user/target platform 200 , as shown in FIGS. 1 and 2 .
  • MID management logic 500 includes MID transfer logic 510 to provide the ability to move an MID from, for example, a user platform 200 - 1 to a non-compatible target platform 200 - 2 to allow the MID to perform its required functions on the target platform 202 - 2 .
  • MID management logic 500 ensures that the MID established on the user platform 200 - 1 can be successfully and securely moved to target platform 200 - 2 .
  • MID validation logic 560 performs validation of the MID, established within user platform 200 - 1 and invokes resource validation logic 530 to query available resources of target platform 200 - 2 using, for example, resource enumeration module 540 .
  • platform registration module 550 is used by MID manager platform 400 to register both the user platform 200 - 1 and the target platform 200 - 2 to initiate the move of the MID from the user platform 200 - 1 to the target platform 200 - 2 .
  • MID management logic 500 may be implemented within chipset 410 or may be provided as firmware or software running in a secure portion of MID manager platform 400 or a non-secured partition of the platform. In accordance with one embodiment, MID management logic 500 performs the life cycle management for registered MIDs residing on user platforms.
  • MID manager platform 400 , user platform 200 - 1 and target platform 200 - 2 include a trusted hardware device (THD).
  • TCG Trusted Computing Group
  • TCG has developed a standard to provide the industry with a set of operation conditions that enables trust in computer platforms and environments.
  • TCG Specification entitled “Main Specification Version 1.2,” published on Apr. 28, 2004, each personal computer (PC) is implemented with a trusted hardware device referred to as a Trusted Platform Module (TPM).
  • TPM Trusted Platform Module
  • the THD of MID manager platform 400 , user platform 200 - 1 and target platform 200 - 2 is a TPM, as defined by the TCG Specification.
  • user/target platform 200 includes roots of trust storage (RTS) 250 .
  • the proposed behavior of a TCG enabled device requires roots of trust or components that must be trusted because misbehavior of such components may not be detected.
  • TCG there are commonly three roots of trust in a trusted platform: a root of trust for measurement (RTM), a root of trust for storage (RTS) and a root of trust for reporting (RTR).
  • RTM root of trust for measurement
  • RTS root of trust for storage
  • RTS 250 protects keys and data entrusted to TPM 240 .
  • the RTS 250 manages a small amount of volatile memory where keys are held while performing signing and decryption operations. Inactive keys may be encrypted and moved off-chip to make room for other more active keys.
  • a TPM_Seal operation is where the external data is presented to the TPM, and in different operations, the TPM encrypts the external data using the public part of a storage key.
  • the primary security property of this operation is the data “sealed” is available only on the specific platform containing the Storage key because the TPM will not perform the seal or unseal operation using a migratable key.
  • the TPM_Unbind operation decrypts, using the private part of a key, a blob that was encrypted by an entity outside the TPM using the associated public key. It is important to note that in both the “seal” and “bind” operations, the contents of the data to be operated upon are opaque to the TPM; i.e., the TPM does care or peek at the data.
  • MID registration logic 320 provides registration capability to register a user platform 200 - 1 to enable validation of an MID established within the platform.
  • establishment of the MID requires that the MID is protected by a trusted storage, such as TPM 240 , as shown in FIGS. 3 and 4 .
  • TPM 240 includes RTS 250 to store an MID storage key 252 , which is used to seal the MID blob 254 established on the user platform 200 .
  • the MID is encrypted and stored within memory 220 as MID blob 254 .
  • an MID is validated if it is stored, for example, as an MID blob 254 within non-volatile memory 220 of a user platform 200 - 1 .
  • FIG. 5 is a simplified block diagram further illustrating communications interface 260 , as shown in FIGS. 3 and 4 , in accordance with one embodiment.
  • Any WLAN station 200 / 400 may provide support for IEEE 802.11 Standard by including a physical layer (PHY) signaling control device (PHY device) 260 , a medium access control (MAC) device 264 , and a MAC client 262 .
  • PHY device physical layer
  • MAC device medium access control
  • communications interface 260 supports station services, which are provided by PHY device 270 and MAC device 264 , and used by MAC client 262 . These services may include authentication, deauthentication, privacy, and delivery of data
  • the MAC client 262 creates and processes data, among other things.
  • the purpose of the PHY and MAC devices 270 , 264 is to ensure that two network stations are communicating with the correct frame format and protocol.
  • An lEEE Std. 802.11 defines the communication protocol between network stations.
  • the function of the PHY device 270 is threefold: 1) to provide a frame exchange between the MAC 264 and PHY 270 under the control of a physical layer convergence procedure (PLCP) sublayer; 2) to transmit data frames over the air interface under the control of the physical medium dependent (PMD) sublayer; and 3) to provide a carrier sense indication back to the MAC 264 so the MAC 264 is able to verify activity on the air interface.
  • PHY device is modified to provide a combined rate and TX antenna selection mechanism.
  • the PHY device 270 includes PLCP apparatus 272 , and transmit and receive PMD apparatuses 272 , 274 . Each of these may or may not use some or all of the same physical circuitry (e.g., processors, busses, clocks, storage, etc.).
  • a plurality of antennas 280 ( 280 - 1 , . . . , 280 -N) may be interconnected with PMD apparatus 272 , 274 . Procedural methods for implementing one or more embodiments are now described.
  • FIG. 6 the particular methods associated with embodiments of the invention are described in terms of computer software and hardware with reference to a flowchart.
  • the methods to be performed by a computing device may constitute state machines or computer programs made up of computer-executable instructions.
  • the computer-executable instructions may be written in a computer program and programming language or embodied in firmware logic. If written in a programming language conforming to a recognized standard, such instructions can be executed in a variety of hardware platforms and for interface to a variety of operating systems.
  • embodiments of the invention are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement embodiments of the invention as described herein. Furthermore, it is common in the art to speak of software, in one form or another (e.g., program, procedure, process, application, etc.), as taking an action or causing a result. Such expressions are merely a shorthand way of saying that execution of the software by a computing device causes the device to perform an action or produce a result.
  • FIG. 6 is a flowchart illustrating a method 600 for platform-independent identity manageability, in accordance with one embodiment.
  • examples of the described embodiments will be made with reference to FIGS. 1-5 .
  • the described embodiments should not be limited to the examples provided to limit the scope of the various embodiments, as defined by the appended claims.
  • a user creates a platform-independent MID on a user platform and secures the MID using a TPM.
  • MID establishment logic 340 enables the establishment of a platform-independent MID, which is stored as MID blob 254 within non-volatile memory 220 of user platform 200 .
  • a MID storage key 252 which is used to seal the MID as MID blob 254 , is contained within RTS 250 of TPM 240 .
  • the user registers the MID with, for example, MID manager 400 , as shown in FIG. 4 .
  • MID registration is performed using MID registration logic 420 ( FIG. 4 ) and corresponding MID registration logic 350 , as shown in FIG. 3 .
  • the user registers the target platform 200 - 2 to which the user desires movement of the MID to indicate that resources of the target platform meet resource requirements of the established MID.
  • FIG. 6 illustrates user establishment of the platform-independent MID on user platform 200 - 1
  • the platform-independent MID is assigned to the user platform 200 - 1 by a trusted identity provider, such as, for example, MID manager platform 400 .
  • control flow transitions to a method 640 , as shown in FIG. 7 .
  • the user may initiate a move of the MID from user platform 200 - 1 to the target platform 200 - 2 using, for example, MID transfer logic 310 ( FIG. 3 ).
  • the MID manager platform 400 may perform validation of the MID using MID validation logic 560 (FIG. 4 ,) for example, to ensure that the MID is held within trusted storage of the user platform 200 - 1 .
  • the MID manager platform 400 may perform resource validation of the target platform 200 - 2 using, for example, resource validation logic 530 ( FIG. 4 .)
  • resource validation logic 530 includes resource enumeration module 540 .
  • resource enumeration module is contained within MID logic 300 , as shown in FIG. 3 , of target platform 200 - 2 .
  • resource enumeration module 540 queries the target platform for available resources.
  • the target platform returns an enumerated list of available resources.
  • MID validation logic 360 performs a resource requirement check to determine whether the MID can be securely moved and securely maintained within the target platform 200 - 2 .
  • the MID validation logic verifies whether the target platform meets requirements.
  • such requirements include the presence of trusted storage, such as, for example, TPM 240 / 440 , as shown in FIGS. 3 and 4 .
  • the detection of, for example, a TPM within the target platform ensures that the MID may be securely moved from the user platform 200 - 1 to the target platform 200 - 2 . Accordingly, at process block 662 , if the resources of target platform 200 - 2 are verified, control follow branches to method 670 , as shown in FIG. 8 ,
  • MID manager platform 400 may perform mutual authentication with the user platform 200 - 1 using, for example, MID transfer logic 510 .
  • MID package logic 520 may be used to package the MID to move the MID from the user platform 200 - 1 to the target platform 200 - 2 , as shown at process block 690 .
  • MID management logic 500 in combination with MID logic 400 , enable the creation of a platform-independent MIDs and provide life cycle management of these platform-independent MIDs, which can scale a wide variety of platforms. Accordingly, by creating platform-independent MIDs, services may be generated by service/identity providers and different devices or categories of a device.
  • the target platform 200 - 2 may seamlessly access various environments. Accordingly, seamless access of the various environments may be provided by using the platform-independent MID in combination with MID access logic 350 , as shown in FIG. 3 , to perform some form of platform or/and user identification to gain access.
  • FIG. 9 is a block diagram illustrating various representations or formats for simulation, emulation and fabrication of a design using the disclosed techniques.
  • Data representing a design may represent the design in a number of manners.
  • the hardware may be represented using a hardware description language, or another functional description language, which essentially provides a computerized model of how the designed hardware is expected to perform.
  • the hardware model 710 may be stored in a storage medium 700 , such as a computer memory, so that the model may be simulated using simulation software 720 that applies a particular test suite 730 to the hardware model to determine if it indeed functions as intended.
  • the simulation software is not recorded, captured or contained in the medium.
  • the data may be stored in any form of a machine readable medium.
  • An optical or electrical wave 760 modulated or otherwise generated to transport such information, a memory 750 or a magnetic or optical storage 740 , such as a disk, may be the machine readable medium. Any of these mediums may carry the design information.
  • the term “carry” e.g., a machine readable medium carrying information
  • the set of bits describing the design or a particular of the design are (when embodied in a machine readable medium, such as a carrier or storage medium) an article that may be sealed in and out of itself, or used by others for further design or fabrication.
  • Elements of embodiments of the present invention may also be provided as a machine-readable medium for storing the machine-executable instructions.
  • the machine-readable medium may include, but is not limited to, flash memory, optical disks, compact disks-read only memory (CD-ROM), digital versatile/video disks (DVD) ROM, random access memory (RAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic or optical cards, propagation media or other type of machine-readable media suitable for storing electronic instructions.
  • embodiments of the invention may be downloaded as a computer program which may be transferred from a remote computer (e.g., a server) to a requesting computer (e.g., a client) by way of data signals embodied in a carrier wave or other propagation medium via a communication link (e.g., a modem or network connection).
  • a remote computer e.g., a server
  • a requesting computer e.g., a client
  • a communication link e.g., a modem or network connection

Abstract

An apparatus and method for platform and device independent identity manageability. In one embodiment, the method includes validation of a manageable identity (MID) held within trusted storage of a user platform according to a user request to move the MID to a target platform. Once the MID is validated, available resources of the target platform are verified according to resource requirements of the MID. Once verified, the MID may be moved from the user platform to trusted storage provided by the target platform. In one embodiment, a platform-independent MID may be established that may be moved from a user platform to a non-compatible target platform, such that the platform-independent MID is not constrained to just one single platform. Other embodiments are described and claimed.

Description

FIELD
One or more embodiments relate generally to the field of integrated circuit and computer system design. More particularly, one or more of the embodiments relate to a method and apparatus for platform and device independent identity manageability.
BACKGROUND
As the world grows increasingly digital, the number of digital identities required to access the digital world are continually increasing. These digital identities may be associated with multiple devices, networks, services and organizations. Unfortunately, mechanisms for managing these identities, including the credentials used to access our devices and services, and the policies controlling where and how we expose our identities are lacking.
The sheer number of digital identities required for accessing the digital world is reaching the point where they are becoming personally and organizationally difficult to manage. For instance, a person might have: (1) personal identities such as a driver's license, social security number or passport; (2) identities related to devices, such as passwords to get into computers, personal digital assistants (PDA), cellular telephones and answering machines; (3) log-ins to access home networks, enterprise networks, wireless hotspots and cellular networks; and (4) accounts to access the web, e-mail, on-line businesses (e.g., eBay and Amazon), instant messaging, short message service (SMS), and voice message services.
Whether it is trying to remember a user name and a password, or keying in a wireless access code, people experience daily problems dealing with the multitudinous identities required for access to their devices, networks and services. As a result, people look for ways to simplify their identities. Often, management of such identities results in reuse of the same password for each account of a user. Others maintain long, easily stolen lists of the user names and passwords. As a result, the multitudinous digital identities required for access to devices, networks and services are creating trouble for individuals to easily keep track of such information, while jeopardizing protection against unauthorized access to their devices, networks and services.
BRIEF DESCRIPTION OF THE DRAWINGS
The various embodiments of the present invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
FIG. 1 is a block diagram illustrating a peer-to-peer wireless network configuration for platform-independent identity management, in accordance with one embodiment.
FIG. 2 is a block diagram illustrating a wireless network (WLAN) configuration for platform-independent identity management, in accordance with one embodiment.
FIG. 3 is a block diagram illustrating a wireless configuration of a manageable identification (MID) manager platform for platform-independent identity management, in accordance with one embodiment.
FIG. 4 is a block diagram further illustrating a user/target platform of FIGS. 1 and 2, in accordance with one embodiment.
FIG. 5 is a block diagram further illustrating the communications interface of FIGS. 3 and 4, in accordance with one embodiment.
FIG. 6 is a flowchart illustrating a method for creating and registering a platform-independent MID, in accordance with one embodiment.
FIG. 7 is a flowchart illustrating a method for resource verification of a target platform in response to a user request to move a platform-independent MID to the target platform, in accordance with one embodiment.
FIG. 8 is a flowchart illustrating a method for moving a platform-independent MID from a user platform to trusted storage of a target platform, in accordance with one embodiment.
FIG. 9 is a block diagram illustrating various design representations or formats for simulation, emulation and fabrication of a design using the disclosed techniques.
 DETAILED DESCRIPTION
A method and apparatus for platform-independent identity manageability are described. In one embodiment, the method includes validation of a manageable identity (MID) held within trusted storage of a user platform according to a user request to move the MID to a target platform. Once the MID is validated, available resources of the target platform are verified according to resource requirements of the MID. Once verified, the MID may be moved from the user platform to trusted storage provided by the target platform. In one embodiment, a platform-independent MID may be established that may be moved from a user platform to a non-compatible target platform, such that the platform-independent MID is not constrained to just one single platform.
In the following description, certain terminology is used to discuss features of the present invention. As described herein, the term “wireless client” or “client” is used to refer to wireless devices including, but not limited to, personal computers including laptop computers, equipped with wireless adapter cards, as well as personal digital assistants (PDAs), appliances, and the like devices configured to communicate via a wireless communications medium such as, for example, radio frequency (RF) waves. Furthermore, as described herein, the term “wireless station” or “station” is used to refer to devices including, but not limited to, wireless base stations, wireless access points (AP), computers such as server computers, personal computers, laptops, PDAs, or like devices configured to restrict access to stored information contained therein or to an attached wired network.
As described herein, a “platform” includes any product that performs operations for subsequent analysis and verification of the platform's operations. Examples of the platform include, but are not limited or restricted to a computer (e.g., desktop, a laptop, a server, a workstation, a personal digital assistant or other held-held, etc.); communication equipment (e.g., wireless handset, facsimile, cellular phone, etc.); a television set-top box; a wireless client, wireless station and the like. A “link” is broadly defined as one or more information-carrying mediums such as electrical wire, optical fiber, cable, trace, or even a wireless channel using infrared, radio frequency (RF), or any other wireless signaling mechanism.
In addition, the term “information” is defined as one or more bits of data, address, and/or control. A “software module” includes code that, when executed, performs a certain function. Examples of a software module include an application, an applet, or even a series of code instructions, possibly a subset of code from an applet, acting as a lesser sized software module.
A “cryptographic operation” is an operation performed for additional data security. For example, one type of cryptographic operation involves digital signing information to produce a digital signature. This digital signing operation may be in accordance with Digital Signature Algorithm (DSA). Another type of cryptographic operation involves hashing, namely a one-way conversion of information to a fixed-length representation. Often, this representation, referred to as a “hash value” or an “identifier”, is substantially less in size than the original information. It is contemplated that, in some cases, a 1:1 conversion of the original information may be performed.
System
FIG. 1 is a block diagram illustrating a peer-to-peer (ad-hoc) configuration for a wireless network 100, in accordance with one embodiment of the invention. FIG. 2 illustrates an infrastructure mode or basic service set (BSS) wireless local area network (WLAN) configuration 150, in accordance with one embodiment. In embodiments depicted in FIGS. 1 and 2, wireless networks 100 and 150 may be configured according to a “wireless protocol” including, but not limited to the Institute of Electrical and Electronic Engineers (IEEE) 802.11 Standard (e.g., IEEE Std. 802.11-1997, 802.11a, 802.11.e, 802.11n, etc.), Hyper LAN 2 and future potential standards for any point-to-point wireless link or network.
As shown in FIG. 1, network 100 is configured according to an ad hoc mode as independent basic service set (IBSS). Representatively, two or more wireless clients 200 (200-1, . . . , 200-N) are equipped with, for example, wireless adapter cards to communicate within wireless network 100 as well as server computer 400. As illustrated in FIG. 2, in the infrastructure mode, each client 200 sends all communications to a WLAN access point (station) 160. As such, the clients 200 communicate with station 160, which acts as a bridge to resources of a wired network 170, such as server computer 400. Wired network 170 may implement a local area network (LAN) using an Ethernet protocol, Home Plug protocol, or the like.
As illustrated in FIGS. 1 and 2, and as described herein, server computer is referred to as “manageable identity (MID) manager platform” 400, which may participate in wireless network 100, as shown in FIG. 1, or may be coupled to wired network 170, as shown in FIG. 2. Also illustrated in FIGS. 1 and 2 is wireless client 200-1, referred to herein as “user platform” 200-1. Likewise, as shown in FIGS. 1 and 2, wireless client 200-2, referred to herein as “target platform” 200-2, may participate within wireless network 100 or access wired network 170 via station access point 160. In one embodiment, user platform 200-1, target platform 200-2 and MID manager platform 400, as shown in FIGS. 1 and 2, are configured to provide platform-independent identity manageability, according to one embodiment.
As shown in FIG. 2, prior to participation in WLAN 150, target platform 200-2 and access point (station) 160 establish a relationship or an association. To associate with station 160 and WLAN 150, target platform 200-2 may listen for beacon messages to identify stations within range. In one embodiment, wireless network 100 and WLAN 150, as shown in FIGS. 1 and 2, may be governed by the wired equivalency protocol (WEP) or other like authentication protocol.
Referring again to FIGS. 1 and 2, after identifying station 160, target platform 200-2 and station 160 may perform a mutual authentication by exchanging several management frames as part of the process. The WEP protocol provides two mechanisms for authentication, open system authentication and shared key authentication. Generally, open system authentication, for example, as used by wireless network 100, provides access to anyone that requests authentication by providing a null authentication process. Conversely, shared key authentication uses a standard challenge and response being based upon knowledge of secret keys to provide authentication.
After successful authentication, target platform moves from an authenticated and unassociated, first state into an authenticated and unassociated, second state. Moving from the second state to an authenticated and associated, final state involves target platform 200-2 sending an association request frame and the station 160 responding with an association response frame. Accordingly, access to the wireless networks 100 and 150, as shown in FIGS. 1 and 2, is just one example where an identity of both the users and their devices must be provided to gain access.
On the Internet, user and device identities have several definitions: Username/password, certificates, SIM, smart card, etc. Furthermore, the multitude of devices available in the market for access to the digital world requires identities mapping to these plethora of available devices. As a result, a user may have multiple devices to enable access to the digital world. Consequently, each available manageable identity or MID cannot be constrained to just one single device.
As described herein, a manageable identity, or MID, is defined as a set of components (hardware and software dependent) comprising of assertions (e.g., username/passwords, digital certificate, etc.), preferences, resource-dependencies, mechanisms that use the assertions, and the policies that define the access levels for the MID. Accordingly, as described herein, a platform independent MID forms a shell around the device/user identity. In one embodiment, a platform-independent MID may be established that may be moved from a user platform to a non-compatible target platform, such that the platform-independent MID is not constrained to just one single platform.
FIG. 3 is a block diagram illustrating user/target platform 200, including MID logic 300 to provide platform-independent MIDs, in accordance with one embodiment. Representatively, user/target platform 200 may include optional battery 206, a microprocessor 202, which uses chipset 210 to access main memory 220, user interface (UI) 230 and communications interface 260. In one embodiment, memory 200 includes, but is not limited to random access memory (RAM), dynamic RAM (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), double data rate (DDR) SDRAM (DDR-SDRAM), Rambus DRAM (RDRAM) or any device capable of supporting high-speed buffering of data. As described herein, the term “chipset” is used in a manner well know to those of ordinary skill in the art to describe, collectively, the various devices coupled to CPU 202 to perform desired system functionality.
In one embodiment, communications interface 260 is, for example, a wireless adapter card, which operates according to a multiple input/multiple output (NMMO) operation. In accordance with such an embodiment, user/target platform 200 includes multiple transmit (TX) and receive (RX) antennas 280 (280-1, . . . , 280-N). Representatively, user/target platform 200 provides multiple TX and RX antennas. In one embodiment, medium access control (MAC) layer functionality and physical layer (PHY) layer functionality are provided by communication interface 260.
Representatively, MID logic 300 includes MID transfer logic 310 to initiate a move of an MID established by user/target platform 200 using MID establishment logic 340. In one embodiment, MID establishment logic 440 enables the definition of an MID with a resource description defined in a known format (for example, extensible mark-up language (XML)). In one embodiment, the resource description requires the presence of trusted storage on a target platform to provide secure storage of the established MID if moved to, for example, target platform 200-2. Although illustrated as separate from chipset 210, MID logic 300 may be implemented within chipset 210 or may be provided as firmware or software running in a secure portion of user/target platform 200 or a non-secured partition of the platform.
As shown in FIG. 3, MID access logic 350 provides capabilities for using MID 254 for providing access to wireless networks, Internet resources, device resources or other like digital services requiring protected access. Accordingly, in one embodiment, MID logic 300, as shown in FIG. 3, enables establishment of a platform-independent MID, which may combine the various assertions, preferences, resource dependencies, mechanisms that use assertions and policies to define the access levels (MID) to enable a user to seamlessly access the digital world to gain desired access to various services desired by the user without being constrained by a multitude of usernames, passwords, certificates or other like device or user identification data.
FIG. 4 is a block diagram further illustrating MID manager platform 400 to support an for platform-independent identity manageability, in accordance with one embodiment. Representatively, MID manager platform 400 includes similar components to user/target platform 200, including microprocessor 402, chipset 410, memory 420, user interface (IU) 430 and communications interface 460. However, in contrast to user/target platform 200, MID manager platform 400 includes MID management logic 500 to enable transfer of platform-independent MIDs.
As shown in FIG. 4, MID manager platform 400 includes MID management logic 500 to provide an MID framework to manage the way MIDs are accessed, updated and operated, for example, by user/target platform 200, as shown in FIGS. 1 and 2. In one embodiment, MID management logic 500 includes MID transfer logic 510 to provide the ability to move an MID from, for example, a user platform 200-1 to a non-compatible target platform 200-2 to allow the MID to perform its required functions on the target platform 202-2.
Representatively, once an MID has been established within a user platform, such as, for example, user platform 200, as shown in FIGS. 1 and 2, MID management logic 500 ensures that the MID established on the user platform 200-1 can be successfully and securely moved to target platform 200-2. In one embodiment, MID validation logic 560 performs validation of the MID, established within user platform 200-1 and invokes resource validation logic 530 to query available resources of target platform 200-2 using, for example, resource enumeration module 540.
In one embodiment, as part of the process of moving an MID from user platform 200-1 to target platform 200-2, platform registration module 550 is used by MID manager platform 400 to register both the user platform 200-1 and the target platform 200-2 to initiate the move of the MID from the user platform 200-1 to the target platform 200-2. Although illustrated as separate from chipset 410, MID management logic 500 may be implemented within chipset 410 or may be provided as firmware or software running in a secure portion of MID manager platform 400 or a non-secured partition of the platform. In accordance with one embodiment, MID management logic 500 performs the life cycle management for registered MIDs residing on user platforms.
In one embodiment, MID manager platform 400, user platform 200-1 and target platform 200-2 include a trusted hardware device (THD). The Trusted Computing Group (TCG) has developed a standard to provide the industry with a set of operation conditions that enables trust in computer platforms and environments. In accordance with a TCG Specification entitled “Main Specification Version 1.2,” published on Apr. 28, 2004, each personal computer (PC) is implemented with a trusted hardware device referred to as a Trusted Platform Module (TPM). In one embodiment, the THD of MID manager platform 400, user platform 200-1 and target platform 200-2 is a TPM, as defined by the TCG Specification.
As further illustrated in FIG. 3, user/target platform 200 includes roots of trust storage (RTS) 250. The proposed behavior of a TCG enabled device requires roots of trust or components that must be trusted because misbehavior of such components may not be detected. As defined by the TCG, there are commonly three roots of trust in a trusted platform: a root of trust for measurement (RTM), a root of trust for storage (RTS) and a root of trust for reporting (RTR). The root of trust for storage, or RTS 250, protects keys and data entrusted to TPM 240. The RTS 250 manages a small amount of volatile memory where keys are held while performing signing and decryption operations. Inactive keys may be encrypted and moved off-chip to make room for other more active keys.
Hence, it is important to understand that all keys do not reside with the TPM 240 simultaneously. Rather, when they are created, they are assigned a parent storage key. The parent key is used to encrypt private components of the new key so it can be stored outside the TPM 240 as a “key blob” and remain protected. When needed, the key blob is reloaded and decrypted by the same parent key using operations such as TPM_Loadkey. A single parent key can protect any number of Child Keys and these child keys may have no relation to each other except that they are protected by the same Parent Key. However, an association may be created by the fact that the same Parent Key protects all of them; therefore, the authorization data required to use the Parent Key is required to load it's Child Keys.
A TPM_Seal operation is where the external data is presented to the TPM, and in different operations, the TPM encrypts the external data using the public part of a storage key. The primary security property of this operation is the data “sealed” is available only on the specific platform containing the Storage key because the TPM will not perform the seal or unseal operation using a migratable key. The TPM_Unbind operation decrypts, using the private part of a key, a blob that was encrypted by an entity outside the TPM using the associated public key. It is important to note that in both the “seal” and “bind” operations, the contents of the data to be operated upon are opaque to the TPM; i.e., the TPM does care or peek at the data.
Referring again to FIG. 3, MID registration logic 320 provides registration capability to register a user platform 200-1 to enable validation of an MID established within the platform. In one embodiment, establishment of the MID requires that the MID is protected by a trusted storage, such as TPM 240, as shown in FIGS. 3 and 4. Representatively, TPM 240 includes RTS 250 to store an MID storage key 252, which is used to seal the MID blob 254 established on the user platform 200. Representatively, the MID is encrypted and stored within memory 220 as MID blob 254. Accordingly, in one embodiment, an MID is validated if it is stored, for example, as an MID blob 254 within non-volatile memory 220 of a user platform 200-1.
FIG. 5 is a simplified block diagram further illustrating communications interface 260, as shown in FIGS. 3 and 4, in accordance with one embodiment. Any WLAN station 200/400 may provide support for IEEE 802.11 Standard by including a physical layer (PHY) signaling control device (PHY device) 260, a medium access control (MAC) device 264, and a MAC client 262. Representatively, communications interface 260 supports station services, which are provided by PHY device 270 and MAC device 264, and used by MAC client 262. These services may include authentication, deauthentication, privacy, and delivery of data
The MAC client 262 creates and processes data, among other things. The purpose of the PHY and MAC devices 270, 264 is to ensure that two network stations are communicating with the correct frame format and protocol. An lEEE Std. 802.11 defines the communication protocol between network stations.
The function of the PHY device 270 is threefold: 1) to provide a frame exchange between the MAC 264 and PHY 270 under the control of a physical layer convergence procedure (PLCP) sublayer; 2) to transmit data frames over the air interface under the control of the physical medium dependent (PMD) sublayer; and 3) to provide a carrier sense indication back to the MAC 264 so the MAC 264 is able to verify activity on the air interface. In one embodiment, PHY device is modified to provide a combined rate and TX antenna selection mechanism.
In general, the PHY device 270 includes PLCP apparatus 272, and transmit and receive PMD apparatuses 272, 274. Each of these may or may not use some or all of the same physical circuitry (e.g., processors, busses, clocks, storage, etc.). In addition, a plurality of antennas 280 (280-1, . . . , 280-N) may be interconnected with PMD apparatus 272, 274. Procedural methods for implementing one or more embodiments are now described.
Operation
Turning now to FIG. 6, the particular methods associated with embodiments of the invention are described in terms of computer software and hardware with reference to a flowchart. The methods to be performed by a computing device (e.g., a wireless station) may constitute state machines or computer programs made up of computer-executable instructions. The computer-executable instructions may be written in a computer program and programming language or embodied in firmware logic. If written in a programming language conforming to a recognized standard, such instructions can be executed in a variety of hardware platforms and for interface to a variety of operating systems.
In addition, embodiments of the invention are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement embodiments of the invention as described herein. Furthermore, it is common in the art to speak of software, in one form or another (e.g., program, procedure, process, application, etc.), as taking an action or causing a result. Such expressions are merely a shorthand way of saying that execution of the software by a computing device causes the device to perform an action or produce a result.
FIG. 6 is a flowchart illustrating a method 600 for platform-independent identity manageability, in accordance with one embodiment. In the embodiments described, examples of the described embodiments will be made with reference to FIGS. 1-5. However, the described embodiments should not be limited to the examples provided to limit the scope of the various embodiments, as defined by the appended claims.
Referring again to FIG. 6, at process block 610, a user creates a platform-independent MID on a user platform and secures the MID using a TPM. For example, as shown in FIG. 3, MID establishment logic 340 enables the establishment of a platform-independent MID, which is stored as MID blob 254 within non-volatile memory 220 of user platform 200. Representatively, a MID storage key 252, which is used to seal the MID as MID blob 254, is contained within RTS 250 of TPM 240. Once established, at process block 620, the user registers the MID with, for example, MID manager 400, as shown in FIG. 4.
In one embodiment, MID registration is performed using MID registration logic 420 (FIG. 4) and corresponding MID registration logic 350, as shown in FIG. 3. At process block 630, the user registers the target platform 200-2 to which the user desires movement of the MID to indicate that resources of the target platform meet resource requirements of the established MID. Although FIG. 6 illustrates user establishment of the platform-independent MID on user platform 200-1, in an alternative embodiment, the platform-independent MID is assigned to the user platform 200-1 by a trusted identity provider, such as, for example, MID manager platform 400. Following registration of target platform 200-2, at process block 630, control flow transitions to a method 640, as shown in FIG. 7.
As illustrated in FIG. 7, at process block 650, the user may initiate a move of the MID from user platform 200-1 to the target platform 200-2 using, for example, MID transfer logic 310 (FIG. 3). Once initiated, the MID manager platform 400 may perform validation of the MID using MID validation logic 560 (FIG. 4,) for example, to ensure that the MID is held within trusted storage of the user platform 200-1. Once validated, at process block 660, the MID manager platform 400 may perform resource validation of the target platform 200-2 using, for example, resource validation logic 530 (FIG. 4.)
As shown in FIG. 4, In one embodiment, resource validation logic 530 includes resource enumeration module 540. However, in an alternative embodiment, resource enumeration module is contained within MID logic 300, as shown in FIG. 3, of target platform 200-2. In one embodiment, resource enumeration module 540 queries the target platform for available resources. In response, the target platform returns an enumerated list of available resources. In response, MID validation logic 360 performs a resource requirement check to determine whether the MID can be securely moved and securely maintained within the target platform 200-2.
In one embodiment, the MID validation logic verifies whether the target platform meets requirements. In one embodiment, such requirements include the presence of trusted storage, such as, for example, TPM 240/440, as shown in FIGS. 3 and 4. In one embodiment, the detection of, for example, a TPM within the target platform ensures that the MID may be securely moved from the user platform 200-1 to the target platform 200-2. Accordingly, at process block 662, if the resources of target platform 200-2 are verified, control follow branches to method 670, as shown in FIG. 8,
As shown in FIG. 8, at process block 680, MID manager platform 400 may perform mutual authentication with the user platform 200-1 using, for example, MID transfer logic 510. Once mutual authentication is performed, MID package logic 520 may be used to package the MID to move the MID from the user platform 200-1 to the target platform 200-2, as shown at process block 690.
Accordingly, in one embodiment, MID management logic 500, in combination with MID logic 400, enable the creation of a platform-independent MIDs and provide life cycle management of these platform-independent MIDs, which can scale a wide variety of platforms. Accordingly, by creating platform-independent MIDs, services may be generated by service/identity providers and different devices or categories of a device.
Furthermore, using, for example, MID access logic 350, as shown in FIG. 3, the user platform, and subsequent to the move of the platform-independent MID, the target platform 200-2 may seamlessly access various environments. Accordingly, seamless access of the various environments may be provided by using the platform-independent MID in combination with MID access logic 350, as shown in FIG. 3, to perform some form of platform or/and user identification to gain access.
FIG. 9 is a block diagram illustrating various representations or formats for simulation, emulation and fabrication of a design using the disclosed techniques. Data representing a design may represent the design in a number of manners. First, as is useful in simulations, the hardware may be represented using a hardware description language, or another functional description language, which essentially provides a computerized model of how the designed hardware is expected to perform. The hardware model 710 may be stored in a storage medium 700, such as a computer memory, so that the model may be simulated using simulation software 720 that applies a particular test suite 730 to the hardware model to determine if it indeed functions as intended. In some embodiments, the simulation software is not recorded, captured or contained in the medium.
In any representation of the design, the data may be stored in any form of a machine readable medium. An optical or electrical wave 760 modulated or otherwise generated to transport such information, a memory 750 or a magnetic or optical storage 740, such as a disk, may be the machine readable medium. Any of these mediums may carry the design information. The term “carry” (e.g., a machine readable medium carrying information) thus covers information stored on a storage device or information encoded or modulated into or onto a carrier wave. The set of bits describing the design or a particular of the design are (when embodied in a machine readable medium, such as a carrier or storage medium) an article that may be sealed in and out of itself, or used by others for further design or fabrication.
Elements of embodiments of the present invention may also be provided as a machine-readable medium for storing the machine-executable instructions. The machine-readable medium may include, but is not limited to, flash memory, optical disks, compact disks-read only memory (CD-ROM), digital versatile/video disks (DVD) ROM, random access memory (RAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic or optical cards, propagation media or other type of machine-readable media suitable for storing electronic instructions. For example, embodiments of the invention may be downloaded as a computer program which may be transferred from a remote computer (e.g., a server) to a requesting computer (e.g., a client) by way of data signals embodied in a carrier wave or other propagation medium via a communication link (e.g., a modem or network connection).
It should be appreciated that reference throughout this specification to “one embodiment” or “an embodiment” means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Therefore, it is emphasized and should be appreciated that two or more references to “an embodiment” or “one embodiment” or “an alternative embodiment” in various portions of this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures or characteristics may be combined as suitable in one or more embodiments of the invention.
In the above detailed description of various embodiments of the invention, reference is made to the accompanying drawings, which form a part hereof, and in which are shown by way of illustration, and not of limitation, specific embodiments in which the invention may be practiced. In the drawings, like numerals describe substantially similar components throughout the several views. The embodiments illustrated are described in sufficient detail to enable those skilled in to the art to practice the teachings disclosed herein. Other embodiments may be utilized and derived therefrom, such that structural and logical substitutions and changes may be made without departing from the scope of this disclosure. The following detailed description, therefore, is not to be taken in a limiting sense, and the scope of various embodiments of the invention is defined only by the appended claims, along with the full range of equivalents to which such claims are entitled.
Having disclosed embodiments and the best mode, modifications and variations may be made to the disclosed embodiments while remaining within the scope of the embodiments as defined by the following claims.

Claims (20)

1. A method comprising:
establishing a platform-independent manageable identity (MID) of a user on a first platform, the platform independent MID held within trusted storage of the first platform;
registering a second platform of the user with an MID manager platform; and
moving, by the MID manager platform, the platform-independent MID to trusted storage of the second platform according to the user request, and if available resources of the second platform meet resource requirements of the MID, enable support of the platform-independent MID to securely store the same MID of the user on both the first and second platforms of the user such that the MID is not constrained to just one single platform.
2. The method of claim 1, wherein establishing the MID further comprises:
registering the MID with the MID manager platform; and
issuing a request to the MID manager platform to move the platform-independent MID to the second platform.
3. The method of claim 1, wherein registering the second platform further comprises:
validating, by the MID manager platform, the platform-independent MID according to a received user request to move the MID to the second platform;
invoking, by the MID manager platform, a resource enumerator module to query for available resources of the second platform; and
issuing a resource verification to determine whether the available resources of the second platform meet resource requirements of the platform-independent MID.
4. The method of claim 1, wherein moving the MID further comprises:
authenticating, by the MID manager platform, the first platform;
packaging the MID; and
moving the packaged MID to the second platform during a secure communication session established with the second platform.
5. The method of claim 1, wherein the MID is assigned to the first platform by the MID manager platform.
6. An article of manufacture comprising a machine-accessible storage medium having associated program code, wherein the program code, when executed, results in a machine performing:
validating a platform-independent manageable identity (MID) of a user that is held within trusted storage of a first platform of the user, according to a user request to move the MID to a second platform of the user;
verifying that available resources of the second platform meet resource requirements of the MID held within the trusted storage of the first platform; and
moving the MID from the first platform to trusted storage of the second platform to securely store the same MID of the user on both the first and second platforms of the user such that the MID is not constrained to just one single platform.
7. The article of manufacture of claim 6, wherein the machine-accessible storage medium further includes data, which when accessed by the machine, further results in the machine performing:
assigning the MID to the first platform; and
storing, by the first platform, the MID within sealed storage of a trusted platform module (TPM) of the first platform.
8. The article of manufacture of claim 6, wherein verifying the available resources of the target platform further results in the machine performing:
invoking a resource enumerator to query for the available resources of the second platform; and
issuing a resource verification to determine whether the available resources of the second platform meet resource requirements of the MID.
9. The article of manufacture of claim 6, wherein moving the MID further results in the machine performing:
authenticating the first platform;
packaging the MID; and
establishing a secure communication session with the second platform to move the packaged MID to the sealed storage provided by a trusted platform module (TPM) of the second platform.
10. The article of manufacture of claim 6, wherein the machine-accessible storage medium further includes data, which when accessed by the machine, further results in the machine performing:
accessing, by the second platform, a protected resource using the MID moved from the first platform to the second platform.
11. A system comprising:
a first platform, including manageable identity (MID) logic to establish at least one platform-independent MID of a user within trusted storage of the first platform of the user;
a second platform of the user, including trusted storage; and
an MID manager platform registered by the second platform of the user, to move the platform-independent MID from the first platform to the trusted storage of the second platform, according to the user request, to securely store the same MID of the user on both the first and second platforms of the user if available resources of the second platform meet resource requirements of the MID such that the MID is not constrained to just one single platform.
12. A system of claim 11, wherein the MID manager platform further comprises:
MID validation logic to validate an MID held within the trusted storage of the first platform according to a user request to move the platform-independent MID from the first platform to the trusted storage of the second platform.
13. The system of claim 11, wherein the user platform further comprises:
a trusted platform module (TPM), including a processor and a non-volatile memory to provide sealed storage of at least one platform-independent MID.
14. The system of claim 11, wherein the target platform further comprises:
a trusted platform module (TPM), including a processor and a non-volatile memory to provide sealed storage of the platform-independent MID.
15. The system of claim 11, wherein the MID manager platform further comprises:
MID transfer logic to authenticate the first platform, to package the MID, and to move the packaged MID to the second platform during a secure communication session established with the second platform.
16. The system of claim 11, wherein the second platform further comprises:
resource verification logic to provide an enumerated list of available target platform resource according to a resource validation request issued by the MID manager platform.
17. The system of claim 11, wherein the target platform further comprises:
resource verification logic to invoke a resource enumerator module to query for available resources of the second platform and to issue a resource verification to determine whether the available resources of the second platform meet resource requirements of the platform-independent MID.
18. The system of claim 11, wherein the first platform further comprises:
MID transfer logic to register the platform-independent MID with the MID manager platform and to issue a request to the MID manager platform to move the MID from the first platform to the trusted storage of the second platform.
19. The system of claim 11, further comprising:
a network coupled to the first platform and the MID manager platform; and
an access point coupled to the network.
20. The system of claim 19, wherein the target platform further comprises:
a communications interface coupled to a plurality of antennas for over-the-air (OTA) communication with the access port; and
a chipset including a trusted platform module (TPM), the chipset to receive the platform-independent MID from the SD manage platform via the communications interface and to store the platform-independent MID within sealed storage provided by the TPM.
US11/171,080 2005-06-30 2005-06-30 Apparatus and method for platform-independent identity manageability Expired - Fee Related US7624428B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/171,080 US7624428B2 (en) 2005-06-30 2005-06-30 Apparatus and method for platform-independent identity manageability

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/171,080 US7624428B2 (en) 2005-06-30 2005-06-30 Apparatus and method for platform-independent identity manageability

Publications (2)

Publication Number Publication Date
US20070006281A1 US20070006281A1 (en) 2007-01-04
US7624428B2 true US7624428B2 (en) 2009-11-24

Family

ID=37591442

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/171,080 Expired - Fee Related US7624428B2 (en) 2005-06-30 2005-06-30 Apparatus and method for platform-independent identity manageability

Country Status (1)

Country Link
US (1) US7624428B2 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080256594A1 (en) * 2007-04-10 2008-10-16 Symantec Corporation Method and apparatus for managing digital identities through a single interface
US20120260345A1 (en) * 2011-04-05 2012-10-11 Assured Information Security, Inc. Trust verification of a computing platform using a peripheral device
US10304282B2 (en) 2016-01-28 2019-05-28 Playtech Software Limited Autonomously operating computerized gaming platforms and method of operating thereof

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7861068B2 (en) * 2006-03-07 2010-12-28 Intel Corporation Method and apparatus for using dynamic workload characteristics to control CPU frequency and voltage scaling
US8898323B2 (en) * 2008-10-22 2014-11-25 Qualcomm Incorporated Mobility protocol selection in a multi-internet protocol mobility environment
US8683048B2 (en) * 2008-11-26 2014-03-25 Qualcomm Incorporated Apparatus and method for selecting IP services
US10185594B2 (en) * 2009-10-29 2019-01-22 International Business Machines Corporation System and method for resource identification
US20150053565A1 (en) * 2013-08-26 2015-02-26 Lam Research Corporation Bottom-up fill in damascene features

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6851052B1 (en) 1998-12-10 2005-02-01 Telcordia Technologies, Inc. Method and device for generating approximate message authentication codes
US20050289341A1 (en) * 2004-06-24 2005-12-29 Nokia Corporation System and method of authenticating a user to a service provider
US7177424B1 (en) 1999-06-22 2007-02-13 Hitachi, Ltd. Cryptographic apparatus and method
US7346923B2 (en) * 2003-11-21 2008-03-18 International Business Machines Corporation Federated identity management within a distributed portal server
US7376826B2 (en) 2002-05-31 2008-05-20 Broadcom Corporation Methods and apparatus for performing encryption and authentication
US7400722B2 (en) 2002-03-28 2008-07-15 Broadcom Corporation Methods and apparatus for performing hash operations in a cryptography accelerator
US7424615B1 (en) 2001-07-30 2008-09-09 Apple Inc. Mutually authenticated secure key exchange (MASKE)
US7464267B2 (en) 2004-11-01 2008-12-09 Innomedia Pte Ltd. System and method for secure transmission of RTP packets
US7480939B1 (en) 2000-04-28 2009-01-20 3Com Corporation Enhancement to authentication protocol that uses a key lease
US7487549B2 (en) 2002-04-15 2009-02-03 Sony Corporation Information processing apparatus, information processing method, recording medium, and program
US7492894B2 (en) 2003-11-04 2009-02-17 Sony Corporation Information-processing apparatus, control method, program and recording medium

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6851052B1 (en) 1998-12-10 2005-02-01 Telcordia Technologies, Inc. Method and device for generating approximate message authentication codes
US7177424B1 (en) 1999-06-22 2007-02-13 Hitachi, Ltd. Cryptographic apparatus and method
US7480939B1 (en) 2000-04-28 2009-01-20 3Com Corporation Enhancement to authentication protocol that uses a key lease
US7424615B1 (en) 2001-07-30 2008-09-09 Apple Inc. Mutually authenticated secure key exchange (MASKE)
US7400722B2 (en) 2002-03-28 2008-07-15 Broadcom Corporation Methods and apparatus for performing hash operations in a cryptography accelerator
US7487549B2 (en) 2002-04-15 2009-02-03 Sony Corporation Information processing apparatus, information processing method, recording medium, and program
US7376826B2 (en) 2002-05-31 2008-05-20 Broadcom Corporation Methods and apparatus for performing encryption and authentication
US7492894B2 (en) 2003-11-04 2009-02-17 Sony Corporation Information-processing apparatus, control method, program and recording medium
US7346923B2 (en) * 2003-11-21 2008-03-18 International Business Machines Corporation Federated identity management within a distributed portal server
US20050289341A1 (en) * 2004-06-24 2005-12-29 Nokia Corporation System and method of authenticating a user to a service provider
US7464267B2 (en) 2004-11-01 2008-12-09 Innomedia Pte Ltd. System and method for secure transmission of RTP packets

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080256594A1 (en) * 2007-04-10 2008-10-16 Symantec Corporation Method and apparatus for managing digital identities through a single interface
US7870597B2 (en) * 2007-04-10 2011-01-11 Symantec Corporation Method and apparatus for managing digital identities through a single interface
US20120260345A1 (en) * 2011-04-05 2012-10-11 Assured Information Security, Inc. Trust verification of a computing platform using a peripheral device
US8966642B2 (en) * 2011-04-05 2015-02-24 Assured Information Security, Inc. Trust verification of a computing platform using a peripheral device
US10304282B2 (en) 2016-01-28 2019-05-28 Playtech Software Limited Autonomously operating computerized gaming platforms and method of operating thereof

Also Published As

Publication number Publication date
US20070006281A1 (en) 2007-01-04

Similar Documents

Publication Publication Date Title
US11616775B2 (en) Network access authentication method, apparatus, and system
US20180152841A1 (en) System Of Multiple Domains And Domain Ownership
CN107852405B (en) Apparatus for content security for service layer
EP2543207B1 (en) Method and system for the migration of credentials and/or domains between trusted hardware subscription modules
US10855668B2 (en) Wireless device authentication and service access
US8381268B2 (en) Network authorization status notification
US7624428B2 (en) Apparatus and method for platform-independent identity manageability
EP1897268B1 (en) Method for refreshing a pairwise master key
US20110093938A1 (en) Methods, apparatuses, and computer program products for bootstrapping device and user authentication
US20200195445A1 (en) Registration method and apparatus based on service-based architecture
US20200186358A1 (en) Persistent network device authentication
JP2019508763A (en) Local device authentication
US20080209206A1 (en) Apparatus, method and computer program product providing enforcement of operator lock
US20070042754A1 (en) Security parameter provisioning in an open platform using 3G security infrastructure
US20060236116A1 (en) Provisioning root keys
US20170223534A1 (en) Systems and Methods for Authentication
JP2004180280A (en) Method and system for adaptive authorization
US20230344626A1 (en) Network connection management method and apparatus, readable medium, program product, and electronic device
US20190260587A1 (en) Security authentication method and system, and integrated circuit
WO2022111187A1 (en) Terminal authentication method and apparatus, computer device, and storage medium
Chifor et al. Security-oriented framework for internet of things smart-home applications
US20240039707A1 (en) Mobile authenticator for performing a role in user authentication
Nagy et al. Peershare: A system secure distribution of sensitive data among social contacts
CN114553426A (en) Signature verification method, key management platform, security terminal and electronic equipment
CN112423300A (en) Wireless network access authentication method and device

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTEL CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ABHINKAR, SAMEER;AISSI, SELIM;DASHEVSKY, JANE;AND OTHERS;REEL/FRAME:016639/0950;SIGNING DATES FROM 20050728 TO 20051004

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

FPAY Fee payment

Year of fee payment: 8

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20211124